I want to solve my own issue. After hours and hours of testing things out, the problem was rather simple. I just had to go to the OpenVPN Server settings -> Tunnel Settings -> IPv4 Local network(s) and just add my WAN network to the list. I guess that's why it never showed up in the logs. Because it wasn't ever blocked by the firewall. The VPN-users just never had any access to it I still can't login via my LAN-net IP. Not sure why that doesn't work, still. but it works via HAproxy. So maybe it's an http/https issue

OK, so there is no way. Thanks again!

Interestingly, when I went to upgrade the openvpn-client-export, the upgrade hung on, "Please wait while the update system initializes." I gave it some time and then clicked back to Installed Packages tab and it looked like it installed. As a test, I removed the openvpn-client-export and the same hang occurred, "Please wait while the update system initializes." I gave it some time and then clicked back to the Installed Packages tab and it looks like it was removed. I then went to the Available Packages tab and installed the openvpn-client-export and the Package Installer tab showed the installation process all the way to "Success." Odd...I remember when an upgrade or removal showed the process, not just the install.

@viragomann Got it working. Thank you!

I "solved" the problem as follows: The operating system on my remote computer is Windows10 and my installed version of the TAP Windows adaptor is 9.25. In desperation, I also installed an older verson 9.21 which I found on the Internet. Suddenly the 9.25 adaptor started working and I have had no problems ever since. I can disable the 9.25 version, and the 9.21 version works. I can disable the 9.21 version and the 9.25 version works. Obviously I don't understand this but my VPN is working now and I can successfully communicate with the office from my remote computer. I am not an operating system or networking expert and I don't understand all of the fine details of a VPN. But my simple VPN is working and I am happy. Thanks to everybody who tried to help me.

Glad you have it working now. -Rico

I would go a road like that Write information useded in that email into a text file Send this file via cron to another machine Doin the reporting stuff there Sounds like a nice project

Many thanks to all who provided assistance. Here is the finished script for anyone who may want to use/adapt it. If anyone wants to review/ provide suggestions or sees that I've done anything that could cause issues, please feel free to do so. #!/bin/sh # # restartvpn: Restart the OpenVPN client if it is down. The restart is supressed # if the WAN is down. # # -f / -F : Force: Force reset even if VPN is not down # -q / -Q : Quiet: Supress printed output # WAN_ID='WAN_DHCP' # WAN Gateway ID String VPN_IDs='XXXXX_VPNV4' # VPN Gateway ID Strings (Separate with a space) VPN_GWs='1' # VPN Client ID of gateway GW_DOWN='down' # Gateway down status string # -q / -Q : Quiet: Supress printed output silent=$(echo $@- | awk '{print (/-[qQ]/ ? 1 : 0)}') # -f / -F : Force: Force reset even if VPN is not down force=$(echo $@ | awk '{print (/-[fF]/ ? 1 : 0)}') restartvpn(){ # # Restart VPN client $VPN_GW # WD=$([ "$WAN_STAT" = "$GW_DOWN" ] && echo "WAN DOWN:" || echo "") FC=$([ $force -eq 1 ] && echo "FORCED:" || echo "") msg=$(echo $(date +%y/%m/%d-%H:%M:%S-)${ID}-${WD}${FC}$(/usr/local/sbin/pfSsh.php playback svc restart openvpn client $VPN_GW)) [ $silent -eq 0 ] && echo $msg logger "***** ${msg}" } gwstat=$(pfSsh.php playback gatewaystatus) WAN_STAT=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $NF}') PUBLIC_IP=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $3}') if [ $silent -eq 0 ];then echo -e "$(basename $0) - Public IP: $PUBLIC_IP - $(date)\n\n$gwstat\n" fi if [ "$WAN_STAT" = "$GW_DOWN" -a $force -eq 0 ];then msg=$(echo "$(date +%y/%m/%d-%H:%M:%S-)WAN is down-VPN restart not attempted.") [ $silent -eq 0 ] && echo $msg logger "***** ${msg}" return 1 fi gw=1 for ID in $VPN_IDs;do VPN_STAT=$(echo "$gwstat" | awk '/'$ID'/{print $NF}') VPN_GW=$(echo $VPN_GWs|cut -w -f $gw) if [ -n "$VPN_STAT" ];then [ $silent -eq 0 ] && echo VPN Gateway: $ID - $([ "$VPN_STAT" = "$GW_DOWN" ] && echo "DOWN" || echo "UP") if [ "$VPN_STAT" = "$GW_DOWN" -o $force -eq 1 ];then restartvpn return 1 fi else [ $silent -eq 0 ] && echo No active gateway $ID fi gw=gw+1 done

That NAT must be done on the client side, as others have stated, but since you are using OpenVPN there is a chance you can pull it off. I have not tried this but OpenVPN also has built-in NAT: --client-nat snat|dnat network netmask alias This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective. Use snat (source NAT) for resources owned by the client and dnat (destination NAT) for remote resources. So you could try this in the client config: client-nat dnat 10.100.0.0/255.255.255.0 192.168.0.0/255.255.255.0 That could be pushed in a client-specific override as well.

@JKnott The pfsense is used as only a VPN box, it is not used as a gateway by any other equipment. I think i should have mentioned this in the beginning. The pfsense only has an interface on that subnet with an IP. Like i mentioned, right now what i set up is working. But this does not get to the question i was asking, which is if i can change the server virtual ip address which the openvpn raises on the interface, disregarding on what i am trying to implement or not.

Hi, I had this working but changed the OpenVPN Settings recently to not route all traffic through the vpn and it has stopped working. Once I resolve the VPN Issue I will confirm the full configuration to help others out. Regards,

Well, after other issues that were blocking the project, nat for me worked as I described above: nterface: VPN (interface aded in interface> add ovpns) External subnet IP: 172.16.8.0 Internal IP: 192.168.0.0/24 I comment it in case someone comes across the post and it serves. Thank you very much for the answers.

I use CSO already. Site A has a route entry for the remote site, rest is set by CSO route 172.16.254.0 255.255.255.0; Site B does not have any routes they are set by CSO Server has this: route 172.16.254.0 255.255.255.0 192.168.98.2; route 172.16.0.0 255.255.254.0 192.168.98.3; I need this, to get the packets back to the OpenVPN interface CSO for Site A on server is this: iroute 172.16.0.0 255.255.254.0; ifconfig-push 192.168.98.2 255.255.254.0; i need to set static IP's for the route entry in the previous step CSO for Site B on server is this: iroute 172.16.254.0 255.255.255.0; push "route 172.16.0.0 255.255.254.0"; ifconfig-push 192.168.98.3 255.255.254.0; reason for the difference of site A and B is that Site A have the Option "don't pull routes enabled". So instead of a push route in CSO, i have the route option on the client directly. It is working like this. However, I have the feeling that it should be possible without setting static tunel IP's. If i use the remote network box, the routes that are added are then pointing all to the same tunnel. Btw. is there any way to show the learned OpenVPN iroutes. The only way i found was via the logs which is a pain if you miss the correct moment.

@jimp Hi again! I have been checking some points like LAN router NAT, and server configs and through the packet capture on pfsense I've found this capturing OpenPVN packets: 15:01:08.596584 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0 15:01:08.596607 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0 15:01:08.596617 IP 192.168.168.1 > 192.168.168.2: ICMP redirect 192.168.168.10 to host 192.168.168.2, length 72 where 192.168.168.2 its a wan connection over Open VPN(my phone) and 192.168.168.10 is the remote machine with RDP (WS2019), 192.168.168.1 is the LAN router. Look at the TCP 0??? What means? With firewall always disabled to test connections and no AV's and after 2 days testing several things, I've found 3 different scenarios: RDP from LAN to LAN works on any computer. (W10Pro and WS 2019) RDP from WAN to LAN works in a W10Pro but not in a WS2019 Datacenter only with Remote access (NO RDS) and same ip or network than W10Pro directly by default port 3389. Tested with a PC the error reported is: "internal Error" and tested with my phone the error is: 0x4 or 0x104 3.RDP from WAN to LAN over OpenVPn doesn't work in any computer at default port 3389, same errors. Note the different OS behavior!!. CONFIGS: OPEN VPN WAN UDP4 / 1194 192.168.168.0/27 Crypto: AES-256-GCM/SHA512 D-H Params: 4096 bits OPEN VPN (tun3) IPv4 Tunnel Network 192.168.168.0/27 OUTBOUND NAT MODE:  WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * 500 WAN address *  Auto created rule for ISAKMP  WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * * WAN address *  Auto created rule PORT FORWARD: WAN TCP * * WAN address 3389 (MS RDP) 172.16.16.1 3389 (MS RDP) RDP OPEN VPN RULES: IPv4 * * * * * * none OpenVPN OPEN VPN wizard WAN RULES: IPv4 UDP * * 10.10.10.11 1194 (OpenVPN) * none OPEN VPN Any idea? Do you need some specific info? Thank you very much!!

On the Zyxel side do I have to add routes?

Thank you so much, jimp! So I was looking for the solution in the wrong place. I'm sorry for the mistake.